Every once in a while I question security controls, and the latest one I questioned was security questions.
I’m talking about those questions that financial sites like banking and credit card sites ask you when you log in. Not the ones used to reset your password (although this post applies to them too).
No, this won’t be a rant about the stupid questions that sites give you to choose from, such as your mother’s maiden name or what is your favorite color. I gave up questioning those issues long ago.
Free ACL tutorials are available on YouTube, along with a lot of videos with talking heads. The tutorials walk you through how to do a couple tests, but I found the video resolution to be rather poor. Maybe it’s my equipment, maybe it’s the result of a company trying to adapt some tutorials they already have to another delivery method.
Remember the Security Scout adventure where I roamed the basement of a major bank and found questionable security issues? If you missed it or need a refresher, read Major Bank Invites Hackers In?
Guess what happened at the bank?
A couple of weeks into a new job, I was told that I was now in charge of the Internet firewall. I suddenly realized I had two major problems:
- I did not know squat about firewalls.
- I did not know the firewall password.